Court rules that a warrant is needed to read your email

After many years of legal uncertainty, a federal appeals court has finally declared that emails have the same Fourth Amendment protections as regular mail and telephone calls.

“Given the fundamental similarities between email and traditional forms of communication, it would defy common sense to afford emails lesser Fourth Amendment protection,” the Sixth Circuit Court of Appeals ruled (PDF).

If the ruling is not overturned by the Supreme Court, it will put an end to the practice of law enforcement agents using court orders, rather than warrants, to gain access to emails. Court orders require a much lower standard than warrants.

Just a clarification: The ruling says a warrant is needed for the government to read your email. Your company requires no such warrant.

You mean for company email systems, right? Because this would seem to be extending personal email the same privileged status as a sealed letter, regardless of whether you send it on their computers.

The problem with that analogy is what questioning what exactly constitutes “sealed” email. Unencrypted email, which is the majority of email, is a lot more like postcard in that it is easily read by all parties who have it pass through their hands during delivery. That makes the constitutional issues a lot trickier, since postcards typically don’t enjoy much in the way of fourth amendment protections from my understanding.

Just as with “sealed”, I believe a postcard falls short as an analogy as well (while still remaining useful to a point). The interpretation that would appear logical to me is that just because an unencrypted email can (in practical terms) be viewed without tampering that’s noticeable to the sender or recipient doesn’t mean that you can (in legal terms) do so without a warrant. I’m looking forward to seeing what Volokh and others end up saying on the topic.

I agree the postcard analogy is not perfect. Where it really falls down is the expectations of privacy. An average person will understand that sending a postcard means that anyone can read it, because it’s obvious that it must pass through many hands to be physically delivered. The average modern American does not, on the other hand, understand at all how email works. Unencrypted email is just as easily readable as a postcard and must pass through the hands of many servers (and their admins) on the way to being delivered, so it’s really no more private than a postcard but the expectation of many people is that it is just as private as a letter. I’m not sure which is going to sway judges more, the idea that people have an expectation of privacy or the technical reality that unencrypted communications represent not even a token effort at any real privacy.

I halfway suspect encrypted email communications as a matter of course will become the norm someday, but that’s a lot more dependent on how the legal precedents shake out than any technical advances.

Interesting thoughts. One wonders if something as simple as an XOR (which is completely insecure but renders e-mail unreadable to the “passing eye”) would suffice for the purpose of requiring a warrant. Would that qualify as a legal analogue to an envelope?

I disagree. The only requirement for reading a post card is being able to read, the requirements to intercept email are considerably larger. A post card can be read accidentally and incidentally (because when we see words we read them, intentionally or not) through normal handling of the post card since actual humans handle mail. Normal handling of an email never crosses the vision of an actual human being, it’s entirely automated such that accidentally or incidentally reading it simply cannot occur. Someone must actively investigate the contents of the email. This would be the same as opening a letter, reading the contents and then resealing it, there isn’t any encryption on letters after all and they’re easily compromised should some wish to read it.

Email doesn’t physically pass through anyone’s hand, computers do all the handling. I’d argue, due to the fact that reading a particular email requires an action outside of the normal handling of the email that it’s the same breach as opening someone’s physical mail and reading it. There is no expectation that a human being will observe the contents of an email through it’s normal delivery procedure regardless of how easy it may be to do so.

I halfway suspect encrypted email communications as a matter of course will become the norm someday, but that’s a lot more dependent on how the legal precedents shake out than any technical advances.

Probably, it would have been nice if email was encrypted from the beginning.

edit: also I’d believe it if someone said that if an investigator wanted the contents of a post card they would still need a warrant to legally obtain and submit it as evidence.

Working in IT now, I can foresee a time when this might not be the case. Things have changed dramatically in the way we are coached to handle client systems and I fully expect this might be a situation in which privacy laws, even in the workplace, will eventually catch up. I’m not sure what that will mean for intra-company investigations, but I’m sure they will adapt.

Just this year, a court ruled that an employer did not get the right to read personal email used by an employee at work on a non-hosted email system (Yahoo I think,) even though an acceptable use supposedly granted the company the right to intercept that communication (i.e. no reasonable expectation of personal privacy.)

Quick edit: I should note that in the case above, it was related to emails from a user to her attorney, and that had a bearing in the decision. Even still, it affects the nearly open ended rule set that companies currently use for acceptable use and privacy.

The funny thing is that the government is still tapping our phone lines without a warrant, and the companies that were complicit in setting that up got retroactive immunity, so why does this decision matter in the slightest?

Well, I should think the distinction should be pretty clear.

If a police department or the FBI wants to tap the phones or read the email of known non-terrorist criminals, they need a warrant. It’s only if the subject is vaguely suspected of association by ethnicity with some speculative form of terrorism that all bets are off.

So if your name is Carlo and you’re the capo di tutti capi in northern New Jersey, your email is safe from casual surveillance, and if they do inadvertently steal your email without a warrant, that will actually make you happy because that means you’ll get off in court.

But if your name is Musa and you’re a third generation Lebanese immigrant living next door to Carlo, your email is fair game, and you can’t contest it in court because they won’t give you a lawyer in your contracted Romanian prison anyway.

Interesting stuff. Of course, many companies will block personal email portals. I wonder if a posting of “anything you do on your work computer is accessible by your place of employment without notice at any time” might provide a workaround - to your recollection, was anything like that involved in the case in question?

It is in most. It’s one of the reasons why I use Google for my personal email, effortless encryption.

That’s a terrible analogy. Email is far more like a letter in an envelope, as no, it does not cross right in front of you in plain text – you have to go out of your way to “steam” open the “envelope” and look at it.

One does not accidentally spy on email going over the network, or stored on a server, whereas writing a postcard legitimately yields no expectation of privacy.

It’s a small step, true. Still, I’m not yet jaded enough to believe that (further) change for the better isn’t possible.

In a landmark decision issued today in the criminal appeal of U.S. v. Warshak, the Sixth Circuit Court of Appeals has ruled that the government must have a search warrant before it can secretly seize and search emails stored by email service providers. Closely tracking arguments made by EFF in its amicus brief, the court found that email users have the same reasonable expectation of privacy in their stored email as they do in their phone calls and postal mail.

And also, separate but related:

In EFF’s second major privacy victory in as many days, the Third Circuit Court of Appeals today denied the government’s request that it reconsider its September decision regarding government access to cell phone company records that reveal your past locations. That means the court’s original opinion — holding that federal magistrates have the discretion to require the government to get a search warrant based on probable cause before obtaining cell phone location records — is now the settled law of the Third Circuit, assuming the government doesn’t seek review by the Supreme Court. Importantly, this victory won’t just provide greater protection for the privacy of your cell phone records but for all other communications records that the government currently obtains without warrants.

It’s somewhat of a fringe case, mostly due to the mix of lawyer-client privilege. Of note though, the company had a policy similar to what most workplaces have, “a written Internet usage policy that warned all employees that the company reserves the right to intercept and disclose “all matters on the company’s media systems” at any time without notice.”

The part that got them, though, was the interception of emails to her legal counsel, “Following opinions from courts in Massachusetts and New York, the Supreme Court disagreed with Loving Care and held that the emails sent from her personal, password-protected email account were absolutely privileged from disclosure—regardless of the company’s comprehensive prohibition on personal Internet use.”

To your question though Dan, we got word of this due to the request to reword our acceptable use following one of our corporate legal folks seeing the case writeup.

A writeup of the case: